Thread: Malware Galore
09-27-2006, 11:40 PM   #12
fredmh
Analyst, Security Team; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
DISABLE ANTI-SPYWARE APPLICATIONS

Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.
Microsoft AntiSpyware
  • Right click the Microsoft AntiSpyware icon located in the system tray
  • Click on Security Agents Status (Enabled)
  • Click on Disable Real-time Protection

----------------------------------------

SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
In some systems, this may be the F5 key, so try that if F8 doesn't work. Log in on your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

These entries are still present in your HJT log. Did you miss fixing them? Please try again.

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist, make sure you do not miss any).

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O21 - SSODL: System - {45673737-D1D1-4ECA-8760-AD3EFE7B0541} - dgflib.dll (file missing)

Please remember to close all other windows, including browsers, then click Fix checked.

----------------------------------------

Do you recognize this file?

C:\Documents and Settings\Puraj\IOGuyou.exe
If not, please submit it to his web page for analysis: http://www.bleepingcomputer.com/subm....php?channel=4

Please put a link to your post in the message.
----------------------------------------

These exe files were infected and renamed. Therefore, the infection may still be present.
The files should be deleted, and the programs may need reinstallation.

C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE (Renamed)
C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE (Renamed)
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE (Renamed)
C:\PROGRAM FILES\APOINT\APOINT.EXE (Renamed)
----------------------------------------

FOLLOW-UP

Please return and post these items:

  • A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode.
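The two entries fredmh asks to be fixed are worth understanding rather than just clicking through: an F2 `Shell=` line that names anything beyond `explorer.exe` means a second program is started every time the shell loads, and an O21 SSODL entry marked "(file missing)" is a shell-service registration whose DLL has already gone but which the registry still references. The following parser is an added illustration, not part of fredmh's post or of HijackThis itself; it applies those two checks mechanically to HJT log lines. It assumes the one-entry-per-line "Section - details" layout that HijackThis prints (the entries quoted in the post follow it). The sample log embeds the two entries from the post plus a few benign lines made up for this demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "F2" or "O21"
    reason: str   # why the entry was flagged
    line: str     # the raw log line, kept for the report


# HijackThis prints one entry per line as "<section> - <details>".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# F2 entries reporting the system.ini Shell value; the only expected value is explorer.exe.
SHELL_RE = re.compile(r"REG:system\.ini:\s*Shell=(?P<value>.*)$", re.IGNORECASE)


def check_shell(body: str) -> Optional[str]:
    """Flag a Shell value that starts anything besides explorer.exe."""
    m = SHELL_RE.search(body)
    if not m:
        return None
    value = m.group("value").strip()
    if value.lower() == "explorer.exe":
        return None
    return f"Shell value launches something besides explorer.exe: {value}"


def check_ssodl(body: str) -> Optional[str]:
    """Flag an O21 SSODL entry whose DLL is gone or is not given by absolute path."""
    if not body.upper().startswith("SSODL:"):
        return None
    if "(file missing)" in body.lower():
        return "SSODL entry is still registered but its DLL is missing; the registration should be removed"
    # Layout: "SSODL: <name> - {CLSID} - <dll path>"
    parts = [p.strip() for p in body.split(" - ")]
    dll = parts[-1] if len(parts) >= 3 else ""
    if dll and not re.match(r"^[A-Za-z]:\\", dll):
        return f"SSODL DLL is not an absolute path, review it: {dll}"
    return None


def scan_hjt_log(text: str) -> List[Finding]:
    """Run the F2 and O21 checks over every entry in an HJT log and collect the hits."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines and other non-entry text
        section, body = m.group("section"), m.group("body")
        reason: Optional[str] = None
        if section == "F2":
            reason = check_shell(body)
        elif section == "O21":
            reason = check_ssodl(body)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


# Constructed sample log. The F2 line and the second O21 line are the two entries
# quoted in the post; the R0, O4 and first O21 lines are benign examples of the
# normal format, made up for this demo so the parser has something not to flag.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: System - {45673737-D1D1-4ECA-8760-AD3EFE7B0541} - dgflib.dll (file missing)
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, only the two entries from the post are reported; the `Shell=` check is case-insensitive and tolerates the spacing variations HJT prints, and the SSODL check treats a missing file and a bare DLL name (no drive path) as separate reasons so a reviewer can tell a dead registration from one that merely needs a look.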